A service account provides non-interactive, non-human access to the services and APIs of the SDDC components. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.

Service Accounts

A service account is a standard Active Directory account that you configure in the following way:

■ The password never expires.

■ The user cannot change the password.

■ The account must have the right to join computers to the Active Directory domain.

Service Accounts in This VMware Validated Design

This validated design introduces a set of service accounts that are used in a one-way or two-way fashion to enable secure application communication. You use custom roles to ensure that these accounts have only the least permissions that are required for authentication and data exchange.

Service Accounts in VMware Validated Design for Software-Defined Data Center

Application-to-Application or Application Service Accounts in the VMware Validated Design

Columns: Username | Source | Destination | Description | Required Role

svc-nsxmanager
  Source: NSX for vSphere Manager
  Destination: vCenter Server
  Description: Service account for registering NSX Manager with vCenter Single Sign-On on the Platform Services Controller and vCenter Server for the management cluster and for the compute and edge clusters
  Required role: Administrator

svc-loginsight
  Source: vRealize Log Insight
  Destination: vCenter Server
  Description: Service account for using Active Directory as an authentication source in vRealize Log Insight and for connecting vRealize Log Insight to vCenter Server and ESXi to forward log information
  Required role: Log Insight User

svc-vdp
  Source: vSphere Data Protection
  Destination: vCenter Server
  Description: Service account for registering vSphere Data Protection with vCenter Server for the management cluster
  Required role: vSphere Data Protection User

svc-srm
  Source: Site Recovery Manager
  Destination: vCenter Server
  Description: Service account for connecting Site Recovery Manager to vCenter Server and for pairing sites in Site Recovery Manager
  Required role: Single Sign-On Administrator

svc-vr
  Source: vSphere Replication
  Destination: vCenter Server
  Description: Service account for connecting vSphere Replication to vCenter Server and for pairing vSphere Replication instances
  Required role: Single Sign-On Administrator

svc-vra
  Source: vRealize Automation
  Destination:
  ■ vCenter Server
  ■ vRealize Automation
  Description: Service account for access from vRealize Automation to vCenter Server. This account is a part of the vRealize Automation setup process.
  Required role: Administrator

svc-vro
  Source: vRealize Orchestrator
  Destination: vCenter Server
  Description: Service account for access from vRealize Orchestrator to vCenter Server
  Required role: Administrator

svc-vrops
  Source: vRealize Operations Manager (Management Packs: vSphere, NSX-vSphere)
  Destination: vCenter Server
  Description: Service account for connecting vRealize Operations Manager to the Management vCenter Server and Compute vCenter Server
  Required role: Read-Only

svc-mpsd-vrops
  Source: vRealize Operations Manager (Management Pack: MPSD)
  Destination: vCenter Server
  Description: Service account for storage device monitoring of the Management vCenter Server and Compute vCenter Server from vRealize Operations Manager
  Required role: MPSD Metrics User

svc-vrops-nsx
  Source: vRealize Operations Manager (Management Pack: NSX-vSphere)
  Destination: NSX for vSphere
  Description: Local service account for connecting the NSX for vSphere adapter for vRealize Operations Manager to the Management and Compute NSX Managers
  Required role: Enterprise Administrator

svc-vrops-vra
  Source: vRealize Operations Manager (Management Pack: vRA)
  Destination: vRealize Automation
  Description: Service account for connecting the vRealize Automation adapter for vRealize Operations Manager to vRealize Automation
  Required roles:
  ■ Tenant administrator
  ■ IaaS administrator
  ■ Fabric administrator
  ■ Software Architect

svc-vrli-vrops
  Source: vRealize Log Insight
  Destination: vRealize Operations Manager
  Description: Service account for connecting vRealize Log Insight to vRealize Operations Manager for log forwarding, and for alerts and Launch in Context integration
  Required role: Administrator

svc-vra-vrops
  Source: vRealize Automation
  Destination: vRealize Operations Manager
  Description: Service account for integration of health statistics from vRealize Operations Manager in the vRealize Automation portal
  Required role: Read-Only

svc-umds
  Source: vSphere Update Manager Download Service
  Destination: --
  Description: Local service account for configuring the Update Manager Download Service on the host virtual machine
  Required role: Administrator
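The following PowerShell script is an added example and is not part of the VMware Validated Design. It creates the Active Directory service accounts from the table above with the three properties the design requires (password never expires, user cannot change password, right to join computers), then re-reads each account to verify the configuration. The OU distinguished names are hypothetical, and the script assumes the RSAT ActiveDirectory module and an operator account that may create users and edit OU ACLs. The two local accounts in the table (svc-vrops-nsx and svc-umds) are not Active Directory accounts and are left out. In keeping with the least-permissions intent of the design, the join right is delegated on one OU rather than granted domain-wide.

```powershell
# Added example, not code from the VMware Validated Design.
# Creates the AD service accounts listed above, delegates the computer-join
# right on a single OU, and verifies the required account properties.
Import-Module ActiveDirectory

$Domain     = 'rainpole.local'
$ServiceOU  = 'OU=SDDC-Service-Accounts,DC=rainpole,DC=local'   # assumed OU
$ComputerOU = 'OU=SDDC-Computers,DC=rainpole,DC=local'          # assumed OU

# svc-vrops-nsx and svc-umds are local accounts, not AD accounts, so they are omitted.
$ServiceAccounts = @(
    'svc-nsxmanager','svc-loginsight','svc-vdp','svc-srm','svc-vr','svc-vra',
    'svc-vro','svc-vrops','svc-mpsd-vrops','svc-vrops-vra','svc-vrli-vrops','svc-vra-vrops'
)

function New-SddcServiceAccount {
    param([Parameter(Mandatory)][string]$Name)

    # 32 random bytes -> 44-character password. It is never printed; record it in
    # your secret store, because "password never expires" means no rotation prompt.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $Name -SamAccountName $Name -UserPrincipalName "$Name@$Domain" `
        -Path $ServiceOU -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'SDDC service account, non-interactive'
}

function Grant-ComputerJoinRight {
    # Allow $Name to create computer objects in $OU only, not domain-wide.
    # bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the "computer" class.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$OU)

    $computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    $sid  = (Get-ADUser -Identity $Name).SID
    $acl  = Get-Acl -Path "AD:\$OU"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $computerClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

function Test-SddcServiceAccount {
    # Re-read the account from AD and report whether it matches the required configuration.
    param([Parameter(Mandatory)][string]$Name)
    $u = Get-ADUser -Identity $Name -Properties PasswordNeverExpires, CannotChangePassword
    [pscustomobject]@{
        Name                 = $Name
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires
        CannotChangePassword = $u.CannotChangePassword
        Compliant            = ($u.Enabled -and $u.PasswordNeverExpires -and $u.CannotChangePassword)
    }
}

foreach ($name in $ServiceAccounts) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-SddcServiceAccount -Name $name
    }
    Grant-ComputerJoinRight -Name $name -OU $ComputerOU
}

# Any row with Compliant = False needs attention before the account is handed to its application.
$ServiceAccounts | ForEach-Object { Test-SddcServiceAccount -Name $_ } | Format-Table -AutoSize
```

The delegation grants only the creation of computer objects in the named OU; an account that creates the object becomes its owner and can complete the join. If you pre-stage computer objects instead, the account additionally needs write access to the relevant attributes of those objects, which this example does not grant.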

User Accounts in the Parent Domain

Create the following user
accounts in the parent Active Directory domain rainpole.local:

User Accounts in the rainpole.local Parent Domain

Columns: User Name | Description | Service Account | Member of Groups

ITAC-TenantAdmin
  Description: Tenant administrator role in the SDDC for configuring vRealize Automation according to the needs of your organization, including user and group management, tenant branding and notifications, and business policies.
  Service account: No
  Member of groups:
  ■ RAINPOLE\ug-ITAC-TenantAdmins
  ■ RAINPOLE\ug-vROAdmins

ITAC-TenantArchitect
  Description: Tenant blueprint architect role in the SDDC for creating the blueprints that tenants request from the service catalog.
  Service account: No
  Member of groups: RAINPOLE\ug-ITAC-TenantArchitects

Users in the Child Domains

Create the following accounts for user access in each of the child Active Directory domains, sfo01.rainpole.local and lax01.rainpole.local, to provide centralized user access to the SDDC. In Active Directory, you do not assign any special rights to these accounts other than the default ones.

User Accounts in the sfo01.rainpole.local and lax01.rainpole.local Child Domains